PT-2024-20771 · Red Hat+1 · Openshift Dedicated+1

Robb Gatica

Published

2024-12-19

Updated

2025-01-10

CVE-2024-25131

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OpenShift Dedicated versions prior to v0.0.0-20240604173837-d1557bc283dd

Description A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. This issue allows a non-privileged user on the cluster to create a MustGather object with a specially crafted file and set the most privileged service account to run the job, potentially escalating their privileges to a cluster administrator and pivoting to the AWS environment.

Recommendations For OpenShift Dedicated versions prior to v0.0.0-20240604173837-d1557bc283dd, update to version v0.0.0-20240604173837-d1557bc283dd or later to resolve the issue. As a temporary workaround, consider restricting access to the MustGather CRD to prevent non-privileged users from creating specially crafted files.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1336CWE-20

Related Identifiers

CVE-2024-25131

GHSA-77C2-C35Q-254W

GO-2024-3349

OPENSUSE-SU-2024:14608-1

OPENSUSE-SU-2025_0060-1

SUSE-SU-2025:0060-1

Affected Products

Openshift Dedicated

Suse

PT-2024-20771 · Red Hat+1 · Openshift Dedicated+1

CVE-2024-25131

Weakness Enumeration

Related Identifiers

Affected Products

References · 37